One of the world’s allegedly most prolific spamming operations inadvertently left backup databases accessible online, exposing upwards of 1.37 billion records and a raft of internal company information.
Chris Vickery, a security researcher who works for the anti-virus company MacKeeper, discovered the databases, which belong to a US-based email and SMS marketing company called River City Media. In some cases, the records include the names, IP addresses, zip codes and physical addresses associated with the email addresses.
The cause of the data exposure appears to be an oversight. The company used the rsync protocol to back up its MySQL databases. But those backup servers were not password-protected, Vickery says in an email to Information Security Media Group.
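One defender-side check for the kind of misconfiguration described above, as an added example that is not from the article or River City Media's systems: a small audit over an rsyncd.conf that flags modules an anonymous client could reach. The configuration text is constructed to resemble the scenario (a MySQL backup module served by an rsync daemon with no authentication); the module names and paths are assumptions.

```python
"""Audit an rsyncd.conf for modules exposed without authentication (added example)."""
from typing import Dict, List

# Constructed sample: one backup module with no auth, one hardened module.
SAMPLE_RSYNCD_CONF = """\
# global defaults apply to every module unless overridden
uid = nobody
read only = yes

[mysql-backups]
    path = /var/backups/mysql
    comment = nightly dumps

[mysql-backups-hardened]
    path = /var/backups/mysql
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
    list = no
"""

def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse rsyncd.conf into {module: {param: value}}; global params sit under ''."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_text(text: str) -> Dict[str, List[str]]:
    """Return {module: [finding, ...]} for modules reachable by anonymous clients."""
    conf = parse_rsyncd_conf(text)
    findings: Dict[str, List[str]] = {}
    for name, params in conf.items():
        if name == "":
            continue
        merged = {**conf[""], **params}  # module values override global defaults
        issues = []
        if not merged.get("auth users"):
            issues.append("no 'auth users': anonymous clients can access this module")
        elif not merged.get("secrets file"):
            issues.append("'auth users' set but no 'secrets file' to check against")
        if not merged.get("hosts allow"):
            issues.append("no 'hosts allow': reachable from any source address")
        if merged.get("list", "yes").lower() not in ("no", "false", "0"):
            issues.append("module name is listed to anyone who connects")
        if issues:
            findings[name] = issues
    return findings
```

Run it over a real rsyncd.conf by reading the file and passing its contents to `audit_text`; the hardened module in the sample produces no findings.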
The leak could be one of the largest of all time, but it’s likely the databases contain duplicates. The databases, which were exposed for at least three months, have since been taken offline. It’s unclear whether other fraudsters or hackers had already stumbled upon them. Some of the records were updated as recently as January.
“If the databases were to be released in the wild, the damage would be astounding,” Vickery says. “Abusive ex-boyfriends and stalkers everywhere would have a fresh new source of information on victims. You wouldn’t feel the damage all at once, but society would indeed suffer over time.”
Based on preliminary checks, at least some of the exposed data is legitimate, Vickery writes in a blog post.
“Investigating names from the list, through social media and work websites, usually shows that the additional details in the entry are most likely accurate,” Vickery writes.
Worst-Spammer List Placement
Spamhaus, a U.K.-based spam-fighting organization, lists Alvin Slocombe and Matt Ferris as being affiliated with RCM, which is sometimes referred to as RCM Delivery. Slocombe is listed as Spamhaus’ number-nine worst spammer.
It’s not entirely clear how RCM compiled so many email addresses, but Vickery suspects several methods were used. The company may have obtained contact details from other marketers, who have collected personal information from people who have opted into third-party marketing, he writes.
It’s also possible that RCM, a small company, collected data from some of the large data breaches of the last year, such as LinkedIn and MySpace, says Troy Hunt, an Australian data breach expert.
“There are literally billions of records out there that are easily obtainable,” he says.
Vickery shared the leaked data with Steve Ragan, editor of CSO online. Ragan reported on March 6 that leaked River City Media records document how the company ran email marketing campaigns mentioning brands such as Nike, MetLife, Victoria’s Secret, Kitchen Aid, Yankee Candle, Gillette, Dollar Shave Club and Clinique.
Ragan’s findings do not mean that those brands directly worked with River City Media. His story detailed a twisting chain of affiliate advertising companies that worked with River City Media to deliver marketing campaigns.
Aside from the emails and personal information, the leaked database contains a wealth of information on River City Media, including its affiliate advertiser clients, money paid to the company, internal chats and discussions of how it evaded spam filters.
River City Media appears to have developed an in-house tool that used a type of denial-of-service attack similar to Slowloris in order to quickly send a barrage of emails that would otherwise most likely have been blocked.
Vickery’s blog post includes a screenshot of a document that describes a tool known internally within RCM as “IPQ.” According to the document, IPQ was being used to send 150 million email messages per day to Yahoo, although it’s unclear when the document was written. In 2013, IPQ was used to send one billion messages to Google’s Gmail service, it says.
Another screenshot shows an internal chat in which someone discusses the technique. Vickery writes that it involves configuring an email server to send response packets slowly to another mail server while requesting more connections.
“Then, when the Gmail server is almost ready to give up and drop all connections, the spammer suddenly sends as many emails as possible through the pile of connection tunnels,” Vickery writes. “The receiving side is then overwhelmed with data and will quickly block the sender, but not before processing a large load of emails.”
Law Enforcement Notified
Vickery says he has notified law enforcement of the databases. Spamhaus has also blacklisted RCM’s infrastructure in an attempt to prevent future spam.
The leaked company-related documents reveal that RCM was just one of many limited liability companies that the group used. The CEO of one of those other companies, Slip7 Media, did not immediately respond to ISMG’s request for comment.
The CEO deleted the reference to Slip7 Media on her LinkedIn profile after news broke of the leak.